Job Applications Sent to the Wrong Recipient
How a misdirected email containing job applications becomes a reportable data breach and what consequences companies face under the GDPR.
The Scenario
It is Thursday afternoon in the HR department of Greenfield Engineering Ltd. Recruitment specialist Claire Brennan is having a stressful day. Three positions are open simultaneously, 87 applications have arrived in the past week, and the department heads are pushing for a shortlist by Friday.
Claire composes an email to the Head of Production, Mark Harrison, and attaches the six most promising applications. Resumes with photos, dates of birth, and home addresses. Cover letters with personal details about family status and salary expectations. Reference letters from previous employers. One candidate has even included a copy of their driving license and work permit.
Claire types "Harrison" into the recipient field. Autocomplete suggests: Mark Harrison. She clicks, hits Send, and turns to her next task. Twenty minutes later, her phone rings. On the other end is not Mark Harrison, Head of Production. It is Martin Harrison — an external supplier who has been in the company address book for years.
Martin Harrison has already opened the email and seen the attachments. He reports it responsibly, but the damage is done: six people who applied confidentially to Greenfield Engineering are now known by name to an outsider. Their resumes, addresses, dates of birth, and in some cases highly sensitive documents are sitting on the computer of a supplier over whom Claire Brennan has no control.
What follows is a cascade of reporting obligations, notifications, and uncomfortable phone calls with applicants who rightly wonder whether they can trust this company with their data.
The Risks
Breach of applicant confidentiality: Job applications contain highly sensitive personal data — often more than any other form of correspondence. Names, addresses, dates of birth, photographs, family circumstances, health disclosures in disability statements, and detailed career histories. A single misclick exposes all of it.
Reputational damage with candidates: The affected applicants submitted their data in confidence, often while still employed elsewhere. If it becomes known that they applied to another company, the professional consequences can be severe. Their trust in the potential new employer is irreparably broken.
Uncontrollable data distribution: Once the email has reached the wrong recipient, there is no guarantee that the data will actually be deleted. The recipient may have already synchronized the email automatically, forwarded it, or backed it up. Complete deletion is practically impossible to verify.
Competitive intelligence risk: In this specific case, an external supplier has gained insight into the company's hiring strategy. They now know which positions are being filled, what qualifications are sought, and what salary levels are acceptable. This knowledge can represent a competitive advantage.
Chain reaction of negative reviews: In the age of Glassdoor and Indeed, data breaches in the application process spread quickly. A single incident can deter qualified candidates from applying to the company for years.
Legal Consequences
The GDPR sets high standards for the handling of applicant data. A misdirected email is a personal data breach and, with applicant documents, almost always a reportable one.
Art. 33 GDPR — Breach notification: The delivery of application documents to an unauthorized third party is a personal data breach. The company must report it to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of those affected. With applicant data that exception will rarely apply. Whether or not it is reported, the breach must be documented internally (Art. 33(5)).
Art. 34 GDPR — Notification of affected individuals: Where a breach is likely to result in a high risk to those affected, they must be informed without undue delay. Given the volume and sensitivity of the data in application documents, a high risk has to be assumed here, so all six applicants must be promptly and individually informed.
Art. 5(1)(f) GDPR — Integrity and confidentiality: The company is obligated to process personal data in a manner that ensures appropriate security. Sending application documents as plain email attachments, with no safeguard against a wrong recipient and no control over what happens to the file afterwards, is hard to reconcile with this principle.
Art. 32 GDPR — Technical and organizational measures: The company should have implemented measures that prevent such misdirection or at least limit its impact — for example encrypted transmission, or a platform for document exchange on which a wrong recipient cannot open the documents.
Fines: Data protection authorities have made clear that even individual misdirected emails can be subject to fines. In practice, authorities have imposed fines between 2,500 and 15,000 euros for comparable incidents. For repeated violations or inadequate response, amounts rise significantly.
Compensation claims under Art. 82 GDPR: Affected applicants have a right to compensation for non-material damage. Courts have increasingly awarded amounts between 500 and 5,000 euros per affected applicant in recent years.
How to Prevent This
Human errors like email misdirection can never be fully eliminated — but the right systems can turn a breach into a near miss, because the mistake no longer hands the data to the wrong person.
1. Upload links instead of email attachments: Rather than forwarding applications by email, create a secure area in SendMeSafe for the department. Application documents never leave the system and are never sent as unprotected email attachments.
2. Secure file sharing with access controls: Share application documents with department heads through password-protected share links. Only persons with both the correct link and the password gain access, so a misdirected link alone does not expose any data. This holds only if the password travels by a separate channel (phone, chat, in person); a password pasted into the same email as the link is misdirected together with it.
3. Granular permissions: Give department heads access only to applications for their own positions. This upholds the principle of data minimization and reduces the attack surface.
4. Complete audit trail: With SendMeSafe, every access to application documents is logged. You know at all times who viewed which documents and when. In the event of an incident, you can immediately distinguish the data that was actually accessed from data that was merely exposed, which is exactly what the risk assessment under Art. 33 and Art. 34 turns on.
5. Automatic expiration dates: Share links can be given an expiration date. After the recruitment process concludes, the links are automatically deactivated, so no department head retains access to applications that are no longer needed. Deactivating a link withdraws access; the stored documents themselves still have to be deleted once the retention period for rejected applicants has run out, which is the actual obligation under Art. 17 GDPR.
6. No data on local machines: All application documents remain on encrypted European servers. Nothing needs to be downloaded, copied, or forwarded via email.
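The mechanism behind points 2 to 5 (a random link token, a password checked with a key derivation function, per-link document permissions, an expiry time and an access log) is simple enough to show end to end. The following is an added illustration written for this article, not SendMeSafe's code: the `ShareStore` class, the document ids, the recipient addresses and the PBKDF2 cost parameter are all assumptions, and the applications are constructed metadata with no real applicant data.

```python
"""Expiring, password-protected share links with an audit trail.

Added illustration for this article, not SendMeSafe's own code. The
store, document ids, addresses and link format are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 200_000  # assumption: cost of hashing the link password

# Constructed sample documents: metadata only, no real applicant data.
APPLICATIONS: Dict[str, dict] = {
    "app-001": {"position": "Production Engineer", "file": "cv-001.pdf"},
    "app-002": {"position": "Production Engineer", "file": "cv-002.pdf"},
    "app-003": {"position": "Quality Manager", "file": "cv-003.pdf"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class ShareLink:
    document_ids: List[str]          # granular permission: only these documents
    intended_recipient: str          # recorded for the audit trail
    expires_at: datetime
    pw_salt: Optional[bytes] = None  # None means the link has no password
    pw_hash: Optional[bytes] = None
    revoked: bool = False


@dataclass
class ShareStore:
    links: Dict[str, ShareLink] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def _log(self, when: datetime, action: str, who: str, token: str, outcome: str) -> None:
        # Only a token prefix is logged: the full token is the secret that opens the link.
        self.audit_log.append({"when": when.isoformat(), "action": action,
                               "who": who, "link": token[:8], "outcome": outcome})

    def create(self, document_ids: List[str], intended_recipient: str, ttl: timedelta,
               password: Optional[str] = None, now: Optional[datetime] = None) -> str:
        """Create a link to a subset of documents; returns the secret token used in the URL."""
        now = now or datetime.now(timezone.utc)
        unknown = [d for d in document_ids if d not in APPLICATIONS]
        if unknown:
            raise KeyError(f"unknown documents: {unknown}")
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable, not enumerable
        salt = pw_hash = None
        if password:
            salt = secrets.token_bytes(16)
            pw_hash = _hash_password(password, salt)
        self.links[token] = ShareLink(list(document_ids), intended_recipient, now + ttl, salt, pw_hash)
        self._log(now, "create", intended_recipient, token, "ok")
        return token

    def revoke(self, token: str, who: str, now: Optional[datetime] = None) -> None:
        """Deactivate a link immediately, e.g. when the recruitment process ends."""
        now = now or datetime.now(timezone.utc)
        if token in self.links:
            self.links[token].revoked = True
            self._log(now, "revoke", who, token, "ok")

    def access(self, token: str, accessor: str, password: Optional[str] = None,
               now: Optional[datetime] = None) -> Optional[Dict[str, dict]]:
        """Return the shared documents, or None (plus an audit entry) when access is denied."""
        now = now or datetime.now(timezone.utc)
        link = self.links.get(token)
        if link is None:
            self._log(now, "access", accessor, token, "denied: unknown token")
            return None
        if link.revoked:
            self._log(now, "access", accessor, token, "denied: revoked")
            return None
        if now >= link.expires_at:
            self._log(now, "access", accessor, token, "denied: expired")
            return None
        if link.pw_hash is not None:
            # A misdirected link without the password stops here; compare in constant time.
            if password is None or not hmac.compare_digest(_hash_password(password, link.pw_salt), link.pw_hash):
                self._log(now, "access", accessor, token, "denied: wrong password")
                return None
        self._log(now, "access", accessor, token, "ok")
        return {d: APPLICATIONS[d] for d in link.document_ids}

    def successful_accesses(self, token: str) -> List[dict]:
        """Incident view: which documents were actually opened via this link, by whom and when."""
        prefix = token[:8]
        return [e for e in self.audit_log
                if e["action"] == "access" and e["link"] == prefix and e["outcome"] == "ok"]
```

Replayed against the scenario: a link for the two Production Engineer applications is created for Mark Harrison with a password sent separately. If the link lands with Martin Harrison instead, his attempt without the password, or with a guessed one, is denied and logged; the audit log then shows that nothing was opened, which is the evidence the risk assessment needs. After the link expires or is revoked, the intended recipient is denied as well.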
Conclusion
Email misdirection is one of the most common data breaches in companies across Europe. The autocomplete feature designed to make our daily work easier becomes a risk factor when sensitive data is involved. With job applications, the consequences are especially severe because the individuals affected have entrusted the company with their most personal information.
The solution does not lie in greater care — because mistakes happen — but in systems that catch mistakes. With SendMeSafe, a misdirected email no longer exposes applicant data, because sensitive documents never leave the system as unprotected email attachments and a misdirected link without its password grants nothing. Start your free trial and manage applicant data securely from today.
Frequently Asked Questions
Do I need to report a misdirected email containing job applications to the data protection authority?
In most cases, yes. As soon as personal data reaches an unauthorized recipient, a personal data breach has occurred, and Art. 33 GDPR requires notification to the supervisory authority within 72 hours of becoming aware of it. Notification can be waived only if the breach is unlikely to result in a risk to those affected — for example, because the email was verifiably not opened and was deleted. With application documents containing extensive personal data, establishing such a low risk will be difficult. Even where notification is waived, the breach and the reasoning behind the decision must still be documented internally (Art. 33(5) GDPR).
Is it enough to ask the wrong recipient to delete the email?
Requesting deletion is an important first step, but it is not sufficient on its own. You must document the incident, inform the supervisory authority, and notify the affected applicants. Furthermore, you cannot reliably verify that the data was actually fully deleted — email backups, automatic synchronizations, and local copies are beyond your control.
Can applicants claim compensation if their documents are misdirected?
Yes. Art. 82 GDPR grants affected individuals a right to both material and non-material compensation for data protection violations. Courts have awarded amounts between 500 and 5,000 euros per person in comparable cases. For particularly sensitive data — such as health information or disability documentation — the amounts may be higher.
How can I prevent application documents from being forwarded by email?
The safest approach is to avoid sending application documents by email in the first place. With a platform like SendMeSafe, you can give department heads access to application documents through secure share links without any documents being sent as email attachments. Additionally, establish internal policies prohibiting the forwarding of application documents by email, and train your staff regularly.